The vulnerability is due to crafted HTTP request by passing large value in Range header, IIS fails to validate the value properly leading to Denial of Service (Unresponsive or Blue Screen of Death) and possible Code Execution.

To trigger the vulnerability request a resource which must be present on the IIS web server, I used sample files (img.jpg, index.html in this demo.)

To understand the risk it is import to know what HTTP.sys does. Here is what Microsoft’s documentation has to say about it,

According to the published Microsoft Security Bulletin, MS15-034 is a remote code execution vulnerability caused by HTTP.sys improperly parsing specially crafted HTTP requests. Specifically this exploit can be triggered using the Range header of an HTTP request, causing an Integer overflow. While the bulletin indicates Remote Code Execution is possible (and as such rates this vulnerability as Critical), so far I have only been able to generate a Denial of Service condition and have not yet seen any RCE code in the wild (though I’m sure someone is working hard at it). Before I get into the details of the vulnerability, let’s take a quick look at HTTP.sys and its purpose.

HTTP.sys:

HTTP.sys ( HTTP Protocol Stack) is a Windows kernel-mode device driver which, as stated in Microsoft’s Introduction to IIS Architectures, “listens for HTTP requests from the network, passes the requests onto IIS for processing, and then returns processed responses to client browsers”. It is responsible for providing Kernel-mode caching, Kernel-mode request queuing, and request pre-processing and security filtering.

Kernel-mode caching which improves performance by serving all cached content requests directly from kernel-mode, appears to be the culprit in this vulnerability. Although Microsoft does cite disabling IIS Kernel caching as a possible workaround, it may cause too much performance degradation on production web servers to be very practical.

Range Header:

This vulnerability can be triggered via the Range header. The Range header is used in an HTTP request to return a portion (or range of bytes) of a given resource. Take for example, the following requests that illustrate how to obtain a index.html file using the Range header.HTTP.sys provides the following benefits:

Kernel-mode caching. Requests for cached responses are served without switching to user mode.

Kernel-mode request queuing. Requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.

Request pre-processing and security filtering.

Because the software is running in kernel mode successful exploitation can have serious consequences for the system. Unlike exploits in user mode software, kernel mode exploits may bypass memory protections, possibly allowing an attacker to cause a system crash. Microsoft indicates the vulnerability could allow remote code execution, and published work others have does that is currently circulation appears to offer partial confirmation. If this proves to be true the vulnerability could be used to obtain system level access.

How it works:

The vulnerability is very similar to those that have been seen in the Apache web server in the past. A value is passed to the HTTP Range header that will over flow the 64-bit integer the software allocates to store it, when converted from the text of the HTTP request. Normally the Range header is used by clients to request part of a document. Trigging the overflow may allow an attacker to cause memory or file access outside the expected boundaries.
Original PoC was posted on Vulnerability in “HTTP.sys Could Allow Remote Code Execution”.

This vulnerability isn’t restricted to IIS, it’s a Windows wide issue, affecting any software on any device that uses Windows HTTP stack. It can be used to enable a DoS attack, it allows remote code execution, and if that isn’t disturbing enough it can also be triggered from outside a network with a simple HTTP request.

We’ve not seen any hard factual proof of its exploitability as yet, but there is plenty of healthy speculation, comment, and PoC code. It’s worth remembering that PoC code like this usually comes from people reverse engineering the patch with patch and vulnerability checkers in the public domain. What we don’t know is what people may have discovered who are doing this privately.

Successful attack will lead to Dos, following are the error messages which I observed

PAGE_FAULT_IN_NONPAGED_AREA

We will see following error message once the Server comes up after recovering from Dos.

No authentication required to trigger Dos, Patch Immediately!!!

Patches are available from Microsoft for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2. As detection of this vulnerability is prone to false positives, the following command should be issued on the host in question to test for the MS15-034 patch: